The hacker group behind this campaign is the notorious Chinese APT group called Mustang Panda, while the prime targets of the attack are government and political organizations across Asia and Europe.
Mustang Panda, a notorious Chinese APT group, has reportedly deployed a new custom backdoor dubbed MQsTTang. Slovak cybersecurity firm ESET has analyzed this campaign, which it says started in early 2021.
According to ESET researcher Alexandre C.T. Cyr, MQsTTang, a previously unseen custom backdoor, was used in a social engineering campaign that started in January 2023.
This backdoor isn’t based on any existing family of malware or publicly available projects. ESET stated that attackers have used decoy filenames that align with their previous campaigns targeting European political organizations.
Who are the Targets?
ESET assessed that the attackers are targeting as-yet-unidentified entities in Australia and Bulgaria. They have also focused on entities in Asia and Europe; a government institution in Taiwan is among the targets. According to the researchers, this campaign is still ongoing.
About Mustang Panda
This cyber-espionage group is also known as “Bronze President” and “TA416.” They usually rely on customized Korplug variants or PlugX and intricate loading chains. In this case, however, the group has used an unusual tactic by creating malware with just one stage and no obfuscation techniques.
Mustang Panda has targeted organizations across the globe and stolen data using its custom RAT, PlugX. This time, however, Mustang Panda developed the MQsTTang backdoor to make detection and attribution harder. In addition, the group has started using other custom tools, such as PUBLOAD, TONESHELL, and TONEINS.
How Does the Attack Work?
The malware has been characterized as a bare-bones backdoor that allows the attacker to execute remote commands on the compromised device. MQsTTang is distributed via spear-phishing emails, and payloads are downloaded from GitHub repositories created by a user associated with previously discovered campaigns of this APT group.
The MQsTTang executable is delivered inside RAR archives whose filenames follow a diplomatic theme, for example purported passport scans of embassy and diplomatic mission personnel. When launched, the malware starts a copy of itself with a command-line argument that selects the task the copy performs, such as handling C2 communications or establishing persistence.
What is unusual about MQsTTang is its use of the MQTT protocol for C2 communications. Because the implant only ever talks to an MQTT broker, which relays messages between the operators and the victim, the real attacker infrastructure stays hidden behind the broker and the channel is more resilient to C2 takedowns. The backdoor also checks for debuggers and monitoring tools in order to evade detection.
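MQTT-based C2 is easy to miss if detection keys only on HTTP or DNS. The following is an added example for defenders, not code from the article or from ESET: it parses the MQTT CONNECT packet that opens every MQTT session (standard v3.1 and v3.1.1 wire format, plaintext only) and flags sessions from hosts talking to brokers outside an allowlist, regardless of destination port. The host names, IP addresses, client IDs and flow records below are constructed for the example; the Flow record type and the find_unexpected_mqtt function are assumptions of this example, not names from the report.

```python
"""Detect MQTT CONNECT packets in captured flow payloads (added example, not from the article)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Protocol names used by MQTT v3.1 ("MQIsdp") and v3.1.1/v5 ("MQTT").
MQTT_PROTOCOL_NAMES = {b"MQTT", b"MQIsdp"}


@dataclass
class MqttConnect:
    protocol_name: str
    protocol_level: int
    clean_session: bool
    has_username: bool
    has_password: bool
    keep_alive: int
    client_id: str


@dataclass
class Flow:
    """Constructed flow record: source host, destination, and the first client payload bytes."""
    src_host: str
    dst_ip: str
    dst_port: int
    first_payload: bytes


def _decode_remaining_length(buf: bytes, pos: int) -> Tuple[int, int]:
    """MQTT variable-length integer: 7 data bits per byte, 0x80 marks continuation (max 4 bytes)."""
    value, multiplier = 0, 1
    for _ in range(4):
        if pos >= len(buf):
            raise ValueError("truncated remaining length")
        b = buf[pos]
        pos += 1
        value += (b & 0x7F) * multiplier
        if not b & 0x80:
            return value, pos
        multiplier *= 128
    raise ValueError("malformed remaining length")


def _read_string(buf: bytes, pos: int) -> Tuple[bytes, int]:
    """Length-prefixed (2-byte big-endian) string as used throughout MQTT."""
    if pos + 2 > len(buf):
        raise ValueError("truncated string length")
    n = int.from_bytes(buf[pos:pos + 2], "big")
    pos += 2
    if pos + n > len(buf):
        raise ValueError("truncated string body")
    return buf[pos:pos + n], pos + n


def parse_connect(payload: bytes) -> Optional[MqttConnect]:
    """Return an MqttConnect if payload starts with a well-formed CONNECT packet, else None."""
    try:
        if not payload or payload[0] != 0x10:  # type 1 (CONNECT) in the high nibble, reserved flags 0
            return None
        remaining, pos = _decode_remaining_length(payload, 1)
        if len(payload) < pos + remaining:
            return None
        name, pos = _read_string(payload, pos)
        if name not in MQTT_PROTOCOL_NAMES:
            return None
        level, flags = payload[pos], payload[pos + 1]
        pos += 2
        keep_alive = int.from_bytes(payload[pos:pos + 2], "big")
        pos += 2
        client_id, pos = _read_string(payload, pos)
        return MqttConnect(name.decode(), level, bool(flags & 0x02), bool(flags & 0x80),
                           bool(flags & 0x40), keep_alive, client_id.decode(errors="replace"))
    except ValueError:
        return None


def find_unexpected_mqtt(flows: List[Flow], allowed_brokers: set) -> List[Tuple[str, str, int, str]]:
    """Flag flows that open an MQTT session to a broker not on the allowlist, ignoring the port."""
    hits = []
    for f in flows:
        c = parse_connect(f.first_payload)
        if c is not None and f.dst_ip not in allowed_brokers:
            hits.append((f.src_host, f.dst_ip, f.dst_port, c.client_id))
    return hits


def _encode_remaining_length(n: int) -> bytes:
    out = bytearray()
    while True:
        b, n = n % 128, n // 128
        out.append(b | 0x80 if n else b)
        if not n:
            return bytes(out)


def build_connect(client_id: str, protocol: bytes = b"MQTT", level: int = 4, keep_alive: int = 60) -> bytes:
    """Build a minimal clean-session CONNECT packet; used here only to construct sample traffic."""
    body = (len(protocol).to_bytes(2, "big") + protocol + bytes([level, 0x02]) +
            keep_alive.to_bytes(2, "big") + len(client_id).to_bytes(2, "big") + client_id.encode())
    return b"\x10" + _encode_remaining_length(len(body)) + body


# Constructed sample data: one approved internal broker, one workstation talking MQTT to an external host.
ALLOWED_BROKERS = {"10.0.5.20"}
SAMPLE_CONNECT = build_connect("client-1234")
SAMPLE_FLOWS = [
    Flow("ws-finance-07", "203.0.113.10", 1883, SAMPLE_CONNECT),            # unexpected external broker
    Flow("iot-gw-01", "10.0.5.20", 1883, build_connect("sensor-42", b"MQIsdp", 3)),  # approved v3.1 broker
    Flow("ws-hr-03", "198.51.100.5", 443, b"\x16\x03\x01\x00\xc8\x01\x00"),  # TLS, not parseable here
    Flow("ws-finance-07", "198.51.100.7", 80, b"GET / HTTP/1.1\r\n"),      # plain HTTP
]

if __name__ == "__main__":
    for hit in find_unexpected_mqtt(SAMPLE_FLOWS, ALLOWED_BROKERS):
        print("unexpected MQTT session:", hit)
```

The parser deliberately validates the protocol name and the remaining-length field rather than trusting the destination port, since a broker can listen anywhere. MQTT over TLS (typically port 8883) will not be visible this way; for that case the allowlist check has to move to the destination (broker IP or SNI) rather than the payload.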
“This new MQsTTang backdoor provides a kind of remote shell without any of the bells and whistles associated with the group’s other malware families,” ESET’s report read.